BusinessObjects Board

Place holders in SQL using Query Builder

Hi,

We have a Java application that uses BOXI SDK APIs. As part of fixing a security vulnerability, we are trying to use placeholders in our SQL statements and would like to know if such SQL would be supported in BOXI R3.1.

Really appreciate your thoughts.

Thanks and Regards,
Arun


achegu (BOB member since 2011-05-09)

Probably not, as the Query Builder language is only “SQL-ish”. What exactly are you intending to do?


joepeters :us: (BOB member since 2002-08-29)

Thanks for your response joepeters. As part of SQL injection fixes (to prevent malicious fiddling with the URLs), we would like to convert the following SQL statement:

strQuery = "SELECT * FROM CI_INFOOBJECTS WHERE SI_KIND='Category' AND SI_NAME in (" + categories + ")"

to

strQuery = "SELECT * FROM CI_INFOOBJECTS WHERE SI_KIND='Category' AND SI_NAME in (?,?,?)";

where each ? is a placeholder.

Regards,
Arun


achegu (BOB member since 2011-05-09)

Oh, parameters. No, you can’t do that, although it would be very useful.

But honestly there’s not much risk of SQL injection in CMS queries, since there is no UPDATE or DELETE operation, or the ability to retrieve sensitive information, or the ability to submit multiple queries at one time. As long as your parameters are properly escaped, there should be little risk.


joepeters :us: (BOB member since 2002-08-29)
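Since Query Builder has no parameters, the remaining defence is to escape and quote every value before it is spliced into the query string. The following is an added illustration in Java (not code from this thread or from the BOXI SDK); it assumes the CMS query language treats a doubled single quote ('') inside a '...' literal as a literal quote, as standard SQL does, and that control characters never belong in a category name.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Builds the SI_NAME IN (...) clause when real placeholders are not available. */
public final class CmsQueryBuilder {
    // Assumption: category names are human-readable, so reject control characters outright
    // rather than trying to guess how the CMS parser would handle them.
    private static final Pattern CONTROL = Pattern.compile("\\p{Cntrl}");

    /** Turn one value into a quoted CMS string literal.
     *  Assumption: the CMS query language escapes a single quote by doubling it. */
    static String literal(String value) {
        if (value == null || CONTROL.matcher(value).find()) {
            throw new IllegalArgumentException("invalid category name");
        }
        return "'" + value.replace("'", "''") + "'";
    }

    /** Same query as the concatenated version in the thread, but each value is
     *  escaped and quoted instead of being pasted in as raw text from the request URL. */
    static String categoryQuery(List<String> categories) {
        if (categories == null || categories.isEmpty()) {
            throw new IllegalArgumentException("at least one category required");
        }
        StringBuilder sb = new StringBuilder(
            "SELECT * FROM CI_INFOOBJECTS WHERE SI_KIND='Category' AND SI_NAME IN (");
        for (int i = 0; i < categories.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append(literal(categories.get(i)));
        }
        return sb.append(")").toString();
    }

    public static void main(String[] args) {
        // Constructed sample input; the second value contains quotes that would break
        // naive concatenation and is kept inside its own literal here.
        List<String> fromUrl = Arrays.asList("Finance", "O'Brien's Reports");
        String query = categoryQuery(fromUrl);
        System.out.println(query);
        // The resulting string is what would be handed to IInfoStore.query(...).
    }
}
```

Validating names against an allow-list of expected categories before building the query is a stricter alternative when the set of valid values is known in advance.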

Thanks joepeters. You are right, we may not have to worry about this since DML statements are not allowed in CMS queries.

Regards,
Arun


achegu (BOB member since 2011-05-09)